NERC CIP

NERC CIP — Critical Infrastructure Protection Standards

RegulationNorth America

NERC CIP is a set of mandatory cybersecurity standards for the bulk electric system in North America. Enforced by FERC, the 14 active standards (CIP-002 through CIP-015) cover asset categorisation, electronic security perimeters, personnel training, incident response, and supply chain risk management. Non-compliance carries financial penalties.

Also explore

GDPR DORA NIS2 SOC 2 HIPAA PCI DSS ISO 27001 CMMC IEC 62443 MITRE ATT&CK ICS CISA CPGs Saudi OTCC NIST CSF 2.0 NIST 800-53 NIST 800-171 CIS Controls CSA CCM CSA CAIQ

Active Standards

FERC

Enforced By

CIP-015

Latest (2025)

Mandatory

For BES Operators

Who Needs to Comply

Registered BES Entities

Transmission operators and owners
Generation owners and operators
Reliability coordinators and balancing authorities
Distribution providers with High/Medium impact BES Cyber Systems

Supply Chain Participants

Vendors providing BES Cyber System components
Manufacturers of grid control and protection equipment
Third-party service providers with remote access to BES systems
Software developers for energy management systems

Key Compliance Areas

CIP-002/003

Asset Categorization & Security Management

BES Cyber System impact rating (High/Medium/Low) and security management controls, policies, and governance.

CIP-004/005

Personnel & Electronic Security

Security awareness training, background checks, electronic security perimeters, and remote access controls.

CIP-006/007

Physical & System Security

Physical security plans for BES Cyber Systems, patch management, malware prevention, and ports/services controls.

CIP-008/009

Incident Response & Recovery

Cyber security incident reporting within 1 hour for certain categories, recovery plans with annual testing requirements.

CIP-010 to CIP-015

Configuration, Supply Chain & Monitoring

Configuration change management, information protection, supply chain risk management, and internal network security monitoring (CIP-015 effective Oct 2028).

How Orizon Helps

BES Cyber System Identification

Categorize all assets per CIP-002 impact ratings (High, Medium, Low) based on their role in the bulk electric system.

Electronic Security Perimeter Design

Define and document Electronic Security Perimeters (ESPs) and Interactive Remote Access controls per CIP-005.

Personnel & Training Program

Implement CIP-004 security awareness training, background verification, and access authorization procedures.

Physical Security Controls

Deploy CIP-006 physical protection measures at facilities housing applicable BES Cyber Systems.

Incident Response & Recovery Plans

Create, document, and annually test incident response (CIP-008) and recovery plans (CIP-009).

Evidence Collection & Audit Readiness

Maintain comprehensive evidence documentation for NERC compliance audits and self-certifications.

Official Sources

Assess Your Compliance

Expert guidance for your NERC CIP compliance journey.

Get Started